b'   March 25, 2004\n\n\n\n\nExport Controls\nExport-Controlled Technology at\nContractor, University, and Federally\nFunded Research and Development\nCenter Facilities\n(D-2004-061)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality              Integrity        Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703)\n  604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703)\n  604-8932. Ideas and requests can also be mailed to:\n\n                    ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800)\n  424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\n\nDFARS                 Defense Federal Acquisition Regulation Supplement\nEAR                   Export Administration Regulations\nFFRDC                 Federally Funded Research and Development Center\nIG DoD                Inspector General of the Department of Defense\nITAR                  International Traffic in Arms Regulations\nNISPOM                National Industrial Security Program Operating Manual\n\x0c\x0c           Office of the Inspector General of the Department of Defense\nReport No. D-2004-061                                                     March 25, 2004\n (Project No. D2003LG-0145)\n\n       Export-Controlled Technology at Contractor, University, and\n       Federally Funded Research and Development Center Facilities\n\n                                 Executive Summary\n\nWho Should Read This Report and Why? Civil service and uniformed officers\nresponsible for controlling the release of technology or technical data detrimental to our\nnational security should read this report. The report discusses the steps DoD needs to take\nto identify unclassified export-controlled technology and to ensure that DoD contractors,\nuniversities, and Federally Funded Research and Development Centers are preventing\nunauthorized disclosure to foreign nationals.\n\nBackground. Public Law 106-65, \xe2\x80\x9cNational Defense Authorization Act for FY 2000,\xe2\x80\x9d\nsection 1402, \xe2\x80\x9cAnnual Report on Transfers of Militarily Sensitive Technology to Countries\nand Entities of Concern,\xe2\x80\x9d October 5, 1999, requires that the Inspectors General of the\nDepartments of Commerce, Defense, Energy, and State, in consultation with the Director\nof Central Intelligence and the Director of the Federal Bureau of Investigation conduct\nannual reviews of the transfer of military technologies to countries and entities of concern.\n\nThe United States Government restricts the release of critical technologies, including\ntechnical data, to foreign nationals through the Export Administration Regulations and the\nInternational Traffic in Arms Regulations. U.S. entities are generally required to obtain an\nexport license before providing foreign nationals access to software or technology that is\nsubject to export licensing requirements. Within DoD, multiple offices oversee the\ndevelopment and implementation of export control policies and control foreign nationals\naccess. The Under Secretary of Defense for Acquisition, Technology, and Logistics is\nresponsible for the implementation of DoD technology transfer policies for all research,\ndevelopment, and acquisition matters. The Deputy Under Secretary of Defense for\nTechnology Security Policy and Counterproliferation is responsible for international\ntechnology transfers, including export controls and licensing, and the DoD Technology\nSecurity Program which includes the development of DoD positions on export licenses by\nthe Defense Technology Security Administration. Three major activities within the Office\nof the Under Secretary of Defense for Intelligence also work to control foreign nationals\naccess to export-controlled technology.\n\nResults. DoD does not have adequate processes to identify unclassified export-controlled\ntechnology and to prevent unauthorized disclosure to foreign nationals. Of the\n11 contractors, 6 universities, and 3 Federally Funded Research and Development Centers\nvisited:\n\n       \xe2\x80\xa2   15 relied on the contract to identify whether the technology was export\n           controlled.\n\x0c       \xe2\x80\xa2   Three of the 11 contractors and 1 of the 3 Federally Funded Research and\n           Development Centers were unaware of Federal export laws and regulations\n           related to export-controlled technology.\n\nAs a result, at least two contractors and one university granted foreign nationals access to\nunclassified export-controlled technology without proper authorization. Unauthorized\naccess to unclassified export-controlled technology could allow foreign nations to counter\nor reproduce the technology and thus reduce the effectiveness of the technology,\nsignificantly alter program direction, or degrade combat effectiveness. Guidance on\nexport-controlled technology should be developed and implemented to be commensurate\nwith acquisition and classification guidance. Specifically, guidance should be developed to\ninclude responsibilities and requirements for DoD personnel and contractor, university, and\nFederally Funded Research and Development Center facilities. In addition, because DoD\nprogram managers and contracting officers are not required to incorporate specific Federal\nexport requirements into the contract, those facilities who rely on the contract to identify\nexport-controlled technology may not be aware that export-controlled technology exists.\nTherefore, the Defense Federal Acquisition Regulation Supplement should be changed to\nincorporate the requirements of Federal export laws and regulations and to ensure that DoD\nprogram managers and contracting officers incorporate the requirements into contractual\nlanguage. Implementing the recommendations in this report should correct the\nmanagement control weaknesses identified for both the Under Secretary of Defense for\nAcquisition, Technology, and Logistics and the Deputy Under Secretary of Defense for\nTechnology Security Policy and Counterproliferation. See the finding for the detailed\nrecommendations.\n\nManagement Comments. The Under Secretary of Defense for Acquisition, Technology,\nand Logistics concurred with the recommendation. Specifically, the Under Secretary of\nDefense for Acquisition, Technology, and Logistics will initiate the process of changing\nthe Defense Federal Acquisition Regulation Supplement in accordance with the\nrecommendation, and the process will take an estimated 10 months to complete. The\nDirector, Defense Research and Engineering will ensure that the DoD Components that\nissue science and technology contracts are aware of the Federal export regulations and the\nplanned changes to the Defense Federal Acquisition Regulation Supplement. The Director,\nDefense Research and Engineering will also ensure that the science and technology\ncontracts comply with those changes. The Deputy Under Secretary of Defense for\nTechnology Security Policy and Counterproliferation concurred in general with the finding\nand recommendation. Specifically, the Deputy Under Secretary of Defense for Technology\nSecurity Policy and Counterproliferation stated that the revised guidance will be applicable\nto all export-controlled technology and should be issued in April 2004. However, she also\nstated that guidance already exists which clearly prohibits the transfer of controlled\ntechnology by all Government and private entities without an export license, authorization,\nor exemption; includes detailed Commerce Control List and U.S. Munitions List item\nreferences; and establishes points of contact to answer licensing questions. In addition, the\nDeputy Under Secretary of Defense for Technology Security Policy and\nCounterproliferation stated that teams of functional area experts will soon be available to\nbrief program managers, research center personnel, and other interested parties on request.\nSee the Finding section of the report for a discussion of the management comments and the\nManagement Comments section of the report for the complete text of the comments.\n\n\n\n\n                                             ii\n\x0cTable of Contents\n\nExecutive Summary                                                             i\n\nBackground                                                                   1\n\nObjectives                                                                   3\n\nFinding\n     DoD Export-Controlled Technology                                        5\n\nAppendixes\n     A. Scope and Methodology                                                21\n          Management Control Program Review                                  22\n     B. Prior Coverage                                                       24\n     C. Report Distribution                                                  26\n\nManagement Comments\n     Under Secretary of Defense for Acquisition, Technology, and Logistics   29\n     Deputy Under Secretary of Defense for Technology Security Policy and\n        Counterproliferation                                                 32\n\x0c    This audit was performed to meet the requirement of Public Law 106-65,\n    \xe2\x80\x9cNational Defense Authorization Act for FY 2000,\xe2\x80\x9d section 1402, \xe2\x80\x9cAnnual\n    Report on Transfers of Militarily Sensitive Technology to Countries and Entities\n    of Concern,\xe2\x80\x9d October 5, 1999, which states:\n\n    \xe2\x80\x9c(a) ANNUAL REPORT. \xe2\x80\x93 Not later than March 30 of each year beginning in\n    the year 2000 and ending in the year 2007, the President shall transmit to\n    Congress a report on transfers to countries and entities of concern during the\n    preceding calendar year of the most significant categories of United States\n    technologies and technical information with potential military applications.\n\n    \xe2\x80\x9c(b) CONTENTS OF REPORT. \xe2\x80\x93 The report required by subsection (a) shall\n    include, at a minimum, the following:\n\n                      *       *      *       *       *       *      *\n\n           \xe2\x80\x9c(3) An audit by the Inspectors General of the Departments of Defense,\n                State, Commerce, and Energy, in consultation with the Director of\n                Central Intelligence and the Director of the Federal Bureau of\n                Investigation, of the policies and procedures of the United States\n                Government with respect to the export of technologies and technical\n                information referred to in subsection (a) to countries and entities of\n                concern.\xe2\x80\x9d\n\n    This report addresses the DoD portion of the required FY 2004 interagency\n    review. An interagency report will also be issued.\n\n\nBackground\n    Both the Department of Commerce\xe2\x80\x99s Export Administration Regulations (EAR),\n    15 Code of Federal Regulations, part 730, and the Department of State\xe2\x80\x99s\n    International Traffic in Arms Regulations (ITAR), 22 Code of Federal\n    Regulations, part 120, are U.S. Statutes and regulations that restrict the export of\n    technology or technical data to foreign nationals working in or visiting the United\n    States.\n\n    Department of Commerce Requirements. The Commerce Bureau of Industry\n    and Security controls the export of dual-use commodities using the authority\n    provided in the Export Administration Act of 1979, as amended (appendix\n    section 2401, title 50, United States Code [50 U.S.C. 2401]). The Export\n    Administration Act expired in August 1994. However, the President, under\n    authority of the International Emergency Economic Powers Act (50 U.S.C. 1701),\n    continued the provision of the Export Administration Act through Executive\n    Orders 12924 and 13222, \xe2\x80\x9cContinuation of Export Control Regulations,\xe2\x80\x9d\n    August 19, 1994, and August 17, 2001, respectively. Each year thereafter, and\n    most recently on August 7, 2003, the President issued \xe2\x80\x9cNotice Continuation of\n    Emergency Export Control Regulations,\xe2\x80\x9d continuing the emergency declared by\n    Executive Order 13222. The EAR implements the Export Administration Act\n    requirements for executing the export licensing process for dual-use commodities\n\n\n                                         1\n\x0cand contains the Commerce Control List that identifies dual-use commodities,\ntechnology, or software subject to the process and conditions under which they\nmay be exported.\n\nAny software or technology that is subject to the EAR and is released to a foreign\nnational is considered an export to the home country of the foreign national.\nThose exports are commonly referred to as deemed exports. Software or\ntechnology can be exported through:\n\n   \xe2\x80\xa2   visual inspection of U.S. equipment and facilities by foreign nationals,\n\n   \xe2\x80\xa2   oral exchanges of information in the United States or abroad, or\n\n   \xe2\x80\xa2   the application of personal knowledge or technical experience acquired in\n       the United States and applied abroad.\n\nU.S. entities are generally required to obtain an export license before providing\nforeign nationals access to software or technology that is subject to export\nlicensing requirements. For the purpose of consistency within the report, we will\nuse the term export-controlled technology to refer to deemed exports as defined\nby the EAR.\n\nDepartment of State Requirements. The Department of State Office of Defense\nTrade Controls is responsible for registering persons or contractors approved in\ncontrolling the export of defense-related articles and services, approving or\ndenying export licenses, and ensuring compliance with the Arms Export Control\nAct (22 U.S.C. 2778). The ITAR implements the Arms Export Control Act and\ncontains the U.S. Munitions List, which identifies Defense articles, services, and\nrelated technical data that may be exported, as well as the conditions under which\nmunitions may be exported. That list includes those items, technologies, and\nservices that are inherently military in character and could, if exported, jeopardize\nnational security or foreign policy interests of the United States.\n\nThe ITAR states that, unless otherwise exempted, an export license is required for\nthe oral, visual, or written disclosure of technical data to foreign nationals in\nconnection with visits by U.S. citizens to foreign countries and visits by foreign\nnationals to the United States. For the purpose of consistency within the report,\nwe will use the term export-controlled technology to refer to technical data as\ndefined by the ITAR.\n\nResponsible Offices Within DoD. The United States controls the export of\ncertain goods and technologies for national security, foreign policy, and\nnonproliferation reasons. DoD has designated multiple offices to develop and\nimplement export control policy and to control foreign nationals access.\n\n       Under Secretary of Defense for Acquisition, Technology, and\nLogistics. The Under Secretary of Defense for Acquisition, Technology, and\nLogistics is responsible for research and development, advanced technology,\nproduction, logistics, acquisition policies, and procurement. The Under Secretary\nof Defense for Acquisition, Technology, and Logistics is also responsible for the\nimplementation of DoD technology transfer policies for all research,\n\n\n                                      2\n\x0c    development, and acquisition matters and has designated the Director of Defense\n    Research and Engineering as the advisor for DoD scientific and technical matters.\n    The Director of Defense Research and Engineering is also responsible for\n    oversight of science and technology programs performed by institutions of higher\n    learning and industry. The Director of Defense Procurement and Acquisition\n    Policy is responsible for the development and issuance of the Defense Federal\n    Acquisition Regulation Supplement (DFARS).\n\n            Under Secretary of Defense for Policy. The Under Secretary of Defense\n    for Policy is responsible for the formation of defense policy and the integration\n    and oversight of DoD policies and plans to achieve national security objectives to\n    include international technology transfers. The Deputy Under Secretary of\n    Defense for Technology Security Policy and Counterproliferation is responsible\n    for policies on international technology transfers, including export controls and\n    licensing, and the DoD Technology Security Program, which includes the\n    development of DoD positions on export licenses by the Defense Technology\n    Security Administration.\n\n            Under Secretary of Defense for Intelligence. Three major activities\n    within the Office of the Under Secretary of Defense for Intelligence work to\n    control foreign nationals access to export-controlled technology. Subsequent to\n    the events of September 11, 2001, the Counterintelligence Field Activity was\n    formed, which is comprised of a variety of DoD counterintelligence activities, and\n    acts as the liaison between DoD Components and law enforcement agencies that\n    exist outside of DoD. The Defense Intelligence Agency performs background\n    checks on foreign nationals that may be granted access to export-controlled\n    technologies and recommends whether to grant or deny the export license. The\n    Defense Security Service is responsible for providing DoD with a full range of\n    security support services such as industrial security training, awareness, and\n    compliance reviews for the protection of classified data, including that which is\n    export controlled.\n\n            In 2003, the Defense Security Service issued its annual study,\n    \xe2\x80\x9cTechnology Collection Trends in the U.S. Defense Industry 2003,\xe2\x80\x9d which\n    summarizes reports of suspicious foreign activity. For calendar year 2002,\n    818 incidents of suspicious activity were reported from 84 countries. Those\n    incidents continue to increase from year to year with information systems, sensors\n    and lasers, and electronics among the most targeted technologies. The extent of\n    foreign interest in and methods of collection for those technologies have changed\n    over the years, from passive attempts to more sophisticated activities. Some of\n    the top methods used for gaining access to targeted technology are as subtle as\n    requests for scientific and technical data, attempts to acquire technology, and\n    inappropriate conduct by foreign nationals during visits to U.S. facilities.\n\n\nObjectives\n    Our overall audit objective was to evaluate the adequacy of DoD policies\n    and procedures regarding export-controlled technology to prevent the transfer of\n    technologies and technical information with potential military application to\n\n\n                                        3\n\x0ccountries and entities of concern. Specifically, we evaluated whether critical\ntechnologies and information associated with DoD contracts to contractor,\nuniversity, and Federally Funded Research and Development Center (FFRDC)\nfacilities were effectively controlled. We also reviewed the management control\nprogram as it relates to the overall objective. See Appendix A for a discussion of\nthe scope and methodology and our review of the management control program.\nSee Appendix B for prior coverage related to the objectives.\n\n\n\n\n                                     4\n\x0c           DoD Export-Controlled Technology\n           DoD does not have adequate processes to identify unclassified export-\n           controlled technology and to prevent unauthorized disclosure to foreign\n           nationals. Of the 11 contractors, 6 universities, and 3 FFRDC visited:\n\n                   \xe2\x80\xa2   15 relied on the contract to identify whether the technology\n                       was export controlled.\n\n                   \xe2\x80\xa2   Three of the 11 contractors and 1 of the 3 FFRDCs were\n                       unaware of Federal export laws and regulations related to\n                       export-controlled technology.\n\n           While DoD has established clear guidance to identify and prevent\n           unauthorized disclosure of critical data for its acquisition and classified\n           programs, DoD has not clearly defined policy for unclassified export-\n           controlled technology. Specifically, DoD Directive 2040.2, \xe2\x80\x9cInternational\n           Transfers of Technology, Goods, Services, and Munitions,\xe2\x80\x9d does not\n           delineate DoD responsibilities to identify export-controlled technology.\n           DoD Directive 2040.2 also does not provide sufficient policies and\n           procedures to obtain reasonable assurance that facilities obtain a license or\n           prevent foreign nationals from unauthorized access to unclassified export-\n           controlled technology by ensuring that those requirements are included in\n           the contract. In addition, the DFARS does not contain a standard clause\n           that requires the facility to comply with Federal export laws and\n           regulations related to export-controlled technology. As a result, at least\n           two contractors and one university granted foreign nationals access to\n           unclassified export-controlled technology without an export license or\n           other authorized approval or qualifying for an exemption.\n\n\nExport Control Guidance\n    National Industrial Security Program. DoD Directive 5220.22, \xe2\x80\x9cDoD\n    Industrial Security Program,\xe2\x80\x9d December 8, 1980, was issued to ensure that\n    classified information released to industry is properly safeguarded. Subsequently,\n    Executive Order 12829, \xe2\x80\x9cNational Industrial Security Program,\xe2\x80\x9d January 6, 1993,\n    established a national industrial security program to protect and safeguard Federal\n    Government classified information. Pursuant to Executive Order 12829, DoD\n    promulgated DoD Manual 5220.22, \xe2\x80\x9cNational Industrial Security Program\n    Operating Manual,\xe2\x80\x9d (NISPOM) January 1995, with incorporated Change One\n    (July 1997) and Change Two (February 2001), which prescribes the procedures\n    necessary to protect classified information. The NISPOM designates that both the\n    Under Secretary of Defense for Policy and the Under Secretary of Defense for\n    Intelligence are responsible for the development and approval of security policy\n    for DoD and that the Defense Security Service is responsible for administering\n    the National Industrial Security Program. The NISPOM prescribes specific\n    security requirements necessary for safeguarding classified information in the\n    interest of national security. Contractors cleared to access classified data,\n    including that which is export controlled, are required to implement the security\n\n\n                                         5\n\x0c           requirements and safeguards necessary to prevent unauthorized disclosure. The\n           NISPOM states that contractors shall not disclose export-controlled information\n           and technology (classified or unclassified) to a foreign person unless such\n           disclosure is authorized by an export license, other authorization from a U.S.\n           Government authority, or an exemption to export licensing requirements. When\n           foreign nationals are assigned to or employed by a cleared contractor, a\n           technology control plan is also required and should contain procedures to prevent\n           unauthorized access to export-controlled technology by using unique badging,\n           segregated work areas, and other security measures as appropriate.\n\n           Technology Transfer Guidance. DoD Directive 2040.2, \xe2\x80\x9cInternational\n           Transfers of Technology, Goods, Services, and Munitions,\xe2\x80\x9d January 17, 1984,\n           provides guidance to manage, control, and limit the transfer or export of\n           technology, goods, services, and munitions consistent with U.S. foreign policy\n           and national security objectives that minimally interfere with the conduct of\n           legitimate trade and scientific endeavors. The Directive assigns overall\n           responsibilities for international transfers of defense-related technology, goods,\n           services, and munitions. Specifically, the Under Secretary of Defense for Policy\n           is responsible for preparing technology transfer and export control policies and\n           the Under Secretary of Defense for Acquisition, Technology, and Logistics is\n           responsible for overseeing the implementation of DoD technology transfer\n           policies for all research, development, and acquisition matters.\n\n           The Inspector General of the Department of Defense (IG DoD) issued Report\n           No. D-2000-110, \xe2\x80\x9cExport Licensing at DoD Research Facilities,\xe2\x80\x9d March 24,\n           2000, which evaluated the adequacy of DoD policies and procedures for\n           determining whether export licenses were required prior to the release of\n           controlled technologies to foreign nationals visiting DoD research facilities. The\n           audit concluded that DoD research facilities did not have adequate procedures in\n           place for determining whether an export license was required for the release of\n           export-controlled technology. As a result, a recommendation was made to the\n           Under Secretary of Defense for Policy to revise DoD Directive 2040.2, to clearly\n           state polices, procedures, and responsibilities of DoD and Military Department\n           hosts for determining whether an export license is required for the release of\n           export-controlled technology when foreign nationals visit a DoD facility. The\n           Deputy Under Secretary of Defense for Technology Security Policy and\n           Counterproliferation stated that as of December 2003, the revision to the\n           Directive was ongoing because it required an extensive amount of time and work;\n           however, she planned to have the revision completed sometime in 2004.\n\n           Interim DoD Guidance. On November 7, 2002, the Deputy Under Secretary of\n           Defense for Technology Security Policy and Counterproliferation issued interim\n           guidance on export controls for biological agents.1 Although the memorandum is\n           specific to biological agents, the interim policy is applicable to all DoD facilities\n           responsible for controlling the release of technology and technical data. The\n           interim guidance included draft follow-on guidance entitled \xe2\x80\x9cManaging Foreign\n           Access: Implementing DoD Guidance on Restricted Technology,\xe2\x80\x9d which defines\n           responsibilities for DoD program managers and on-site program and security\n\n1\n    The interim guidance was issued in response to IG DoD Report No. D-2003-021, \xe2\x80\x9cExport Controls Over\n    Biological Agents (U),\xe2\x80\x9d November 12, 2002.\n\n\n\n                                                    6\n\x0c    managers for ensuring export control compliance. As of March 2004, the draft\n    follow-on guidance had not been finalized.\n\n    If the draft interim guidance on export controls and managing foreign access is\n    formally approved and implemented, DoD program managers with access to\n    export-controlled biological technology will be required to have a technology\n    security control plan that details security measures to ensure that only authorized\n    foreign nationals are allowed access. The guidance will also require site\n    managers to have a foreign access control plan that tracks foreign access\n    authorizations and ensures that the site security manager controls foreign national\n    access by maintaining background check documentation, using a badging system,\n    and notifying the foreign nationals of access limitations. DoD and DoD contract\n    personnel with access to export-controlled biological technology will also be\n    required to receive periodic site inspections and training. The Deputy Under\n    Secretary of Defense for Technology Security Policy and Counterproliferation\n    stated that the guidance will be formalized as soon as possible. While this\n    guidance was designed to safeguard export-controlled biological technology, it\n    should be expanded to identify the elements of technology security and foreign\n    access control plans and require coordination with counterintelligence, security,\n    and foreign disclosure personnel for all export-controlled technology.\n\n\nAwareness and Prevention of Unauthorized Disclosure\n    DoD does not have adequate processes to identify unclassified export-controlled\n    technology and to prevent unauthorized disclosure. Of the 11 contractors,\n    6 universities, and 3 FFRDCs visited, 15 stated that they relied on the contract to\n    identify whether technology was export controlled. In addition, while all the\n    universities were knowledgeable of Federal export laws and regulations, 3 of the\n    11 contractors and 1 of the 3 FFRDCs were unaware of those requirements.\n\n    Identifying Export-Controlled Technology. Contractors, universities, and\n    FFRDCs used different methods to determine if contracts contain restrictions,\n    such as export-controlled technology. Of the seven contractors, six universities,\n    and two FFRDC who relied on the contract:\n\n           \xe2\x80\xa2   Six contractors, two universities, and two FFRDCs relied solely on the\n               contract to alert the facility that the contract may contain export-\n               controlled technology that is subject to Federal export control laws.\n\n           \xe2\x80\xa2   One contractor and four universities reviewed the contract, but\n               supplemented their review with additional analysis.\n\n    However, three contractors and one FFRDC did not rely on the contract to\n    identify export-controlled technology, but instead performed their own analysis.\n    For example, one of the three contractors identified export-controlled technology\n    in four contracts using the EAR and ITAR and obtained the required authorization\n    from the U.S. Government licensing authority for those technologies. None of\n    those four contracts had language that identified Federal export laws or\n    restrictions on foreign nationals. If that contractor had relied on the contract, the\n\n\n                                          7\n\x0c           export-controlled technology may not have been identified. One contractor had\n           no method for identifying export-controlled technology. During the audit, we\n           identified three basic types of clauses, which varied by contract, that could alert\n           the facility to the fact that the contract might contain technology that is subject to\n           export control laws. The three clauses reference Federal export laws and\n           regulations, access by foreign nationals, and publication restrictions.\n\n                   Clauses That Reference Export Control Laws. For the 20 contractors,\n           universities, and FFRDCs visited, a total of 31 contracts were determined2 to\n           contain export-controlled technology. Of those 31 contracts, 8 had clauses that\n           referenced Federal export control laws. Those clauses identified the laws and\n           regulations, but provided little detail on their application as it related to the\n           contract. For example, one contract clause stated that the export of controlled\n           information, without first obtaining approval or a license for items controlled by\n           the EAR or the ITAR, might constitute a violation of law. Although the clause\n           alerted the facility to the existence of export laws and the need to comply, it failed\n           to identify what technology needed to be controlled.\n\n                    Clauses That Reference Access by Foreign Nationals. Eight of the\n           31 contracts that involved export-controlled technology contained clauses that\n           pertained to access by foreign nationals. Those clauses normally stipulate\n           measures that must be taken to utilize foreign nationals in the performance of the\n           contract. The clauses do not state if the restriction on use of foreign nationals was\n           due to Federal export laws, nor do they identify the technology involved in the\n           contract that required the restriction. For example, one contract contained a\n           restrictive clause that required the facility to receive approval from the\n           contracting officer before using foreign nationals. However, the contracting\n           officer approval does not exempt the facility from obtaining an export license or\n           other authorized approval.\n\n                    Clauses That Restrict Publication. Twenty-one of the 31 contracts that\n           involved export-controlled technology contained clauses for restrictions on\n           publication. Those clauses placed constraints on the publication and release of\n           information pertaining to the contract. One contract used a clause requiring the\n           contractor to receive approval from the contracting officer before releasing any\n           information resulting from the contract performance. Another contract clause\n           restricted release of information to anyone other than DoD. Despite alerting the\n           facility that information may need to be controlled, the clauses did not identify the\n           reason for the publication restrictions or the specific portions of the program to be\n           controlled.\n\n           Preventing Unauthorized Disclosure. Three of the 11 contractors and 1 of the\n           3 FFRDCs were generally unaware of the Federal export laws and regulations to\n           either obtain a license or prevent unauthorized disclosure of export-controlled\n           technology. When releasing export-controlled technology to foreign nationals,\n           Federal export laws and regulations require an entity to obtain either an export\n           license or other authorized approval or to qualify for an exemption. If the facility\n\n2\n    The Defense Technology Security Administration and the IG DoD reviewed and identified at least\n    31 contract statements of work that involved export-controlled technology. In addition, a contractor\n    independently identified export-controlled technology in two statements of work.\n\n\n\n                                                       8\n\x0c           does not obtain a license or qualify for an exemption, it must have controls in\n           place to ensure that foreign nationals do not have access to export-controlled\n           technology. While all six universities were aware of Federal laws and regulations\n           for export-controlled technology, most university contracts we reviewed qualified\n           for an exemption to Federal export regulations.\n\n                   Universities. All six of the universities applied the fundamental research\n           exemption3 for a majority of their DoD contracts. The exemption allows the\n           universities to perform research while maintaining a public and open atmosphere\n           that promotes a culture of academia. Although the universities foster an open and\n           sharing atmosphere for research, three universities were aware of accepting\n           contracts involving export-controlled technologies. Those universities had\n           controls in place to prevent unauthorized disclosure, such as controlled access to\n           labs and badge requirements for specific buildings.\n\n                   Cleared Facilities. Of the 14 cleared facilities,4 3 contractors,\n           1 university, and 2 FFRDCs were generally unaware of the specific technology to\n           be controlled in their contracts. However, the cleared facilities generally had\n           controls in place to prevent unclassified export-controlled technology from\n           unauthorized disclosure if the facility identified that the contract may contain\n           export-controlled technology. The NISPOM requires that technology control\n           plans contain procedures to prevent unauthorized access by foreign nationals for\n           all export-controlled technology. A technology control plan should include\n           unique badging requirements for foreign nationals, segregated work areas, and\n           other security measures, as appropriate.\n\n                   Of the 14 cleared facilities, 105 had technology control plans, 12 informed\n           foreign nationals of access restrictions, and 9 provided some training on Federal\n           export laws and regulations. Thirteen had physical access controls, but only 8 of\n           the 14 cleared facilities required foreign nationals to wear unique badges.\n           Although cleared contractors, universities, and FFRDCs had controls in place to\n           prevent unauthorized disclosure when the export-controlled technology was\n           identified, they may not have extended those controls to unclassified export-\n           controlled technology that had not been identified.\n\n                    Uncleared Facilities. Of the six uncleared facilities, three uncleared\n           contractors were generally unaware of export licensing requirements to obtain a\n           license or other authorized approval or prevent unauthorized disclosure of export-\n           controlled technology to foreign nationals. Of the six uncleared facilities, one had\n           a technology control plan, three had informed foreign nationals of access\n           restrictions, and three had provided some training on Federal export laws and\n\n\n3\n    Fundamental research is an exemption to the export license requirements for both the EAR and ITAR and\n    is defined as basic and applied research where the resulting information is ordinarily published and\n    shared broadly within the scientific community.\n4\n    A cleared facility for the purposes of this report is a contractor, university, or FFRDC that is authorized to\n    work on classified contracts, store classified information at their own facility, has controls in place to\n    maintain a cleared status with DSS, and is required to comply with the NISPOM.\n5\n    One cleared contractor did not have foreign national employees, and thus, was not required to have a\n    technology control plan.\n\n\n\n                                                         9\n\x0c                                regulations. The six uncleared facilities had no physical access controls and did\n                                not require foreign nationals to wear unique badges.\n\n                                The following figure shows that the 14 cleared facilities judgmentally selected6\n                                for visits had better controls in place to prevent the unauthorized disclosure of\n                                export-controlled information to foreign nationals than the 6 non-cleared facilities\n                                judgmentally selected for visits.\n\n\n\n\n                                                   The Percentage of Facilities Visited\n                                                    with Specified Export Controls\n                                                                 Cleared      Non-cleared\n                                100%\n     Percentage of Facilities\n\n\n\n\n                                75%\n\n\n                                50%\n\n\n                                25%\n\n\n                                 0%\n                                        Technology       Foreign          Training    Physical        Badges\n                                       Control Plans     National                     Controls\n                                                       Informed of\n                                                       Limitations\n\n\n\n\nPolicies, Procedures, and Responsibilities\n                                While DoD has established clear guidance to identify and prevent unauthorized\n                                disclosure of critical data for its acquisition and classified programs, DoD does\n                                not have clearly defined policies for safeguarding unclassified export-controlled\n                                technology. Specifically, the Under Secretary of Defense for Policy guidance\n                                does not clearly delineate DoD responsibilities to identify export-controlled\n                                technology. In addition, the guidance does not provide sufficient policies and\n                                procedures to obtain reasonable assurance that contractors, universities, and\n\n6\n    Judgment sample does not generalize to universe.\n\n\n\n                                                                     10\n\x0c           FFRDCs obtain an export license, other authorized approval or exemption, or\n           prevent foreign nationals from unauthorized access to unclassified export-\n           controlled technology by ensuring that those requirements are included in the\n           contract. Also, the DFARS does not contain a standard clause that requires the\n           facility to comply with Federal export laws and regulations related to export-\n           controlled technology.\n\n           Identification of Critical Data in Program Management Plans. DoD\n           acquisition guidance (5000 series) requires DoD program managers to identify\n           classified and controlled unclassified data that require additional\n           counterintelligence and security support early in the research, development, and\n           acquisition process. When an acquisition program contains critical information,7\n           the program manager is required to develop a program protection plan8 and\n           countermeasures to prevent the exploitation of U.S. technology from unauthorized\n           disclosure. The program protection plan is a joint effort between program,\n           security, intelligence, and foreign disclosure personnel. DoD acquisition\n           guidance also requires the Under Secretary of Defense for Acquisition,\n           Technology, and Logistics to ensure that contracts that require access to critical\n           program information identify the critical information, describe any necessary\n           countermeasures, and allow access to facilities by DoD to review the program\n           protection plan implementation.\n\n           DoD export control guidance does not provide sufficient policies or procedures,\n           define responsibilities and accountability for identifying export-controlled\n           technology, or ensure compliance with Federal export laws and regulations.\n           Specifically, the Under Secretary of Defense for Policy has not developed export\n           control guidance commensurate with acquisition guidance. DoD Directive 2040.2\n           does not define the responsibilities of the DoD program manager or require the\n           program manager to develop a plan that identifies export-controlled technology.\n           In addition, DoD Directive 2040.2 does not require counterintelligence, security,\n           and foreign disclosure personnel to assist in the development of the plan that\n           identifies threats, vulnerabilities, and countermeasures required to prevent foreign\n           nationals from obtaining unauthorized access. Finally, the guidance does not\n           ensure that contracts that involve export-controlled technology identify the\n           technology, describe any necessary countermeasures, or require compliance\n           reviews.\n\n           Identification of Data in Contracts. The Federal Acquisition Regulation and\n           the DFARS clauses are the mechanisms used to convey specific requirements to\n           the contractor when executing a contract. The contracting officer is responsible\n           for the insertion of required clauses to ensure that contractors are aware of access\n           to classified information and to obtain reasonable assurance that the classified\n\n\n7\n    Critical program information is defined as information that, if compromised, would degrade combat\n    effectiveness, shorten the expected combat-effective life, or significantly alter program direction. Critical\n    program information can be classified military information, unclassified controlled information, or\n    technology.\n8\n    Elements of a program protection plan include a listing of the critical program information to be\n    protected; critical program information threats, vulnerabilities and countermeasures; a technology\n    assessment control plan; protection costs; and foreign disclosure and sales considerations.\n\n\n\n                                                        11\n\x0cdata is protected. Although clauses exist for classified data, similar clauses do not\nexist for unclassified technology subject to export control.\n\n        Classified Data. Federal and DoD acquisition guidance states that\ncontracting officers shall review all proposed solicitations to determine whether a\ncontractor may require access to classified information during contract\nperformance. If access might be required, the contracting officer shall ensure that\nthe standard security requirement clause is incorporated into the solicitation and\ncontract. The security requirement clause states that the facility shall comply\nwith the NISPOM and that the contractor must agree to insert the terms of the\nsecurity requirement clause in all subcontracts that involve access to classified\ninformation. While there is clear guidance for identification and protection of\nclassified data in solicitations and contracts, DoD guidance does not clearly\ndelineate responsibilities for identifying and preventing unauthorized disclosure\nof unclassified technology subject to export controls.\n\n        Export-Controlled Technology. The DFARS does not contain a\nstandard clause that identifies Federal export laws and regulations related to\nexport-controlled technology or the use of foreign nationals during the\nperformance of contracts. Of the 20 facilities visited, officials at 15 stated that\nthey relied on the solicitation and the contract to identify export-controlled\ntechnology. Officials at several facilities mentioned the importance of indicating\nthe potential for export-controlled technology in the solicitation. In one case, a\ncontractor stated that if the solicitation indicated the existence of export-\ncontrolled technology, he would not have expended resources in preparing a\nproposal because he did not have the controls in place to prevent unauthorized\naccess. In another case, university officials stated that after being awarded a\ncontract, the officials identified that the contract contained export-controlled\ntechnology and they had to determine whether they could prevent unauthorized\ndisclosure or otherwise terminate the contract.\n\nBecause the DFARS does not contain a standard clause to identify Federal export\nlaws and regulations, Military Services, Defense agencies, contractors,\nuniversities, and FFRDCs have developed their own prime and subcontract\nclauses. However, the clauses vary in detail by contracting office. For example,\none contract clause only warned that the technology was subject to the Arms\nExport Control Act and that violations were subject to severe criminal penalties.\nAir Force Material Command Federal Acquisition Regulation 5352.227-9000,\n\xe2\x80\x9cExport-Controlled Data Restrictions,\xe2\x80\x9d is another example. The Air Force\nMaterial Command regulation defines what constitutes a foreign national and\nexplicitly states that technical data generated or delivered under the contract is\ncontrolled by the ITAR. The Regulation also states that export licenses are\nrequired before allowing foreign nationals access the technology.\n\nContractor Guidance to Protect Critical Data. The NISPOM establishes\ncontractor requirements and necessary safeguards at cleared facilities to include\nprotection of classified data and export-controlled technology (classified or\nunclassified) from unauthorized access. Although the NISPOM outlines\nsafeguards and facility requirements to prevent unauthorized disclosure of\nclassified and export-controlled technology, the NISPOM assumes that the\ntechnology to be protected has been identified.\n\n\n                                     12\n\x0c            Safeguards. Safeguards are necessary to protect classified and export-\n    controlled technology. Specific to exports, the NISPOM states that contractors\n    shall not disclose export-controlled information and technology, classified or\n    unclassified, to a foreign person unless such disclosure complies with applicable\n    U.S. laws and regulations. Compliance with Federal export laws and regulations\n    requires that the entity obtain either an export license or other authorized approval\n    or qualify for an exemption. In addition, a technology control plan should be\n    developed and implemented to identify security measures necessary to prevent the\n    possibility of disclosure of unauthorized information to foreign national\n    employees and visitors if the entity does not obtain an export license. Controls\n    such as unique badging, escorts, and segregated work areas are recommended.\n    However, those safeguards alone may not adequately protect export-controlled\n    technology unless they are combined with other requirements, such as training\n    and periodic compliance reviews.\n\n            Training and Compliance Reviews. The NISPOM requires facilities\n    with authorized access to classified information to appoint a facility security\n    officer responsible for supervising and directing security measures. Facility\n    security officers must complete security training, the level of which is determined\n    by the facility\xe2\x80\x99s utilization of classified information. Security officers are also\n    responsible for training its cleared employees. Before granting access to\n    classified information, an employee should receive an initial security briefing that\n    includes security procedures, threat awareness, and employee obligations.\n    Refresher training is required to reinforce information provided during the initial\n    security briefing and to inform the employees of any changes in order to ensure\n    that safeguards are adequate. Security reviews by a cognizant security agency\n    and contractor self-assessments are also required on a reoccurring basis.\n    Although the NISPOM requires cleared facilities to perform training and conduct\n    periodic reviews, it does not ensure that the training and reviews will include\n    unclassified export-controlled technology.\n\n\nRelease of Export-Controlled Technology\n    Two contractors and one university granted foreign nationals access to\n    unclassified export-controlled technology without proper authorization. Of the\n    four uncleared contractors, two allowed foreign nationals access to export-\n    controlled technology without obtaining an export license or other authorized\n    approval or qualifying for an exemption. Of the six universities, at least one\n    university allowed foreign nationals access to export-controlled technologies\n    without obtaining an export license. Unauthorized access to unclassified export-\n    controlled technology could allow foreign nations to counter or reproduce the\n    technology and thus reduce the effectiveness of the program technology,\n    significantly alter program direction, or degrade combat effectiveness.\n\n    The contractors were involved with innovative research and development that\n    could have a significant technological impact if compromised. The contracts did\n    not identify the export-controlled technologies, and the contractors were unaware\n    of export law requirements and regulations or how to safeguard unclassified\n    export-controlled technology from unauthorized access.\n\n\n                                         13\n\x0c           Contractor A. Contractor A conducts DoD research and development on\n           robotics and logistics software while employing five foreign nationals from\n           Brazil, India, Macedonia, and South Korea. A contractor official stated that a\n           South Korean foreign national annually visited China. We found that foreign\n           nationals had unauthorized access to at least two of the five contracts that\n           involved export-controlled technologies.\n\n                   Contract One. Contract one involved efforts to develop an\n           intelligence/counterintelligence system for targeting and tracking individuals.\n           The system was determined to be export-controlled technology under ITAR Part\n           121, category XI(b). Category XI states that the following should be export-\n           controlled:\n                         Electronic systems or equipment specifically designed, modified, or\n                         configured for intelligence, security, or military purposes for use in\n                         search, reconnaissance, collection, monitoring, direction-finding,\n                         display, analysis, and production of information from the electro-\n                         magnetic spectrum and electronic systems or equipment designed or\n                         modified to counteract electronic surveillance or monitoring.\n\n                   The contract contained a clause restricting foreign nationals9 that required\n           the contractor to notify and receive approval from the contracting officer in order\n           for foreign nationals to participate in the contract. The DoD contracting officer\n           granted permission for a foreign national to participate in the performance of the\n           contract. However, that permission was not an exemption to the ITAR\n           requirements for an export license. The contractor is required to obtain an export\n           license or other authorized approval or qualify for an exemption for any foreign\n           nationals that are granted access to the export-controlled technology.\n\n                   Contract Two. Contract two involved efforts to develop an interface that\n           would allow military commanders to visually collaborate real-time data to\n           enhance understanding of situations, plans, and actions. Two unauthorized\n           foreign nationals participated in the contract and had access to the export-\n           controlled information. The system technology was export controlled under\n           ITAR Part 121, category XI(a). Category XI(a) states that command, control, and\n           communications systems including radios, navigation, and identification\n           equipment should be export controlled.\n\n                   The contract contained a clause restricting foreign nationals10 that required\n           the contractor to notify and receive approval from the contracting officer in order\n           for foreign nationals to participate in the contract. DoD contracting personnel\n           stated that permission for the two foreign nationals to work on the program was\n           not granted. The contractor should have obtained an export license or other\n           authorized approval or qualified for an exemption before any foreign nationals\n           were granted access to the export-controlled technology, or the technology should\n           have been safeguarded. The contractor stated that they relied on the contract to\n           identify export-controlled technology.\n9\n    The contract also contained a reference to export control laws.\n10\n     The contract also contained a publication clause that required the contractor to submit and receive\n    approval from the contracting officer before publishing information relating to the contract.\n\n\n\n                                                       14\n\x0c           Contractor A was unaware of the Federal export requirements and how to\n           implement those requirements. The contractor did not provide training and did\n           not have adequate access controls in place to safeguard the export-controlled\n           technology from unauthorized access by foreign nationals that worked at or\n           visited the facility. The contractor stated that personnel had not been provided\n           export control training because the contractor did not believe they were exporting\n           any export-controlled technology. Without export control training, the contractor\n           was unaware that they either needed to apply for an export license or establish\n           procedures to prevent the release of the technology to foreign nationals. Also, the\n           contractor did not adequately safeguard export-controlled technology at that\n           facility. During the review, we identified physical control deficiencies at the\n           facility. For example, the contractor had an open floor plan without physical\n           controls to prevent foreign nationals from access to export-controlled technology.\n\n           Contractor B. Contractor B conducts research and development on electronics\n           and engineering while employing foreign nationals from Australia, Italy, the\n           Netherlands, New Zealand, and South Africa. We found that foreign nationals\n           had unauthorized access to at least two of the four contracts that involved export-\n           controlled technologies.\n\n                  Contract One. Contract one involved the development of a missile\n           environmental monitor. An unauthorized foreign national participated in the\n           contract and had access to the export-controlled technology. The environmental\n           monitor was determined to be export-controlled technology under ITAR Part 121,\n           category IV(h). Category IV states the following should be export controlled:\n                        Launch vehicles and missile and anti-missile systems including but not\n                        limited to guided, tactical and strategic missiles, launchers, and systems\n                        . . . [and] all specifically designed or modified components, parts,\n                        accessories, attachments, and associated equipment for the articles in\n                        this category.\n\n                   The contract contained a publication restriction clause that required the\n           contractor to receive approval from the contracting officer before publishing\n           information relating to the contract. The contract did not identify the export-\n           controlled technologies. The contractor stated that they relied on the contract to\n           identify export-controlled technology and, therefore, did not consider any of the\n           technology to be subject to export controls.\n\n                  Contract Two. Contract two involved efforts to develop an\n           electromagnetic fuel valve system that is targeted for the F119 engine,11 which is\n           export controlled under ITAR Part 121, category VIII. Four unauthorized foreign\n           nationals participated in the contract and had access to the export-controlled\n           information. Category VIII states the following should be export controlled:\n                        Aircraft, including but not limited to helicopters, non-expansive\n                        balloons, drones, and lighter-than-air aircraft . . . [to include] Military\n                        aircraft engines . . . specifically designed or modified for the aircraft.\n\n\n11\n     The F119 engine powers the F/A-22 Raptor air dominance fighter.\n\n\n\n                                                       15\n\x0c        The contract did not contain any restrictive clauses and did not identify\nexport-controlled technologies. Because the electromagnetic fuel valve system\nwas export controlled, the contractor should have obtained an export license or\nother authorized approval or qualified for an exemption before any foreign\nnationals were granted access to the export-controlled technology. The contractor\nstated that they relied on the contract to identify restrictions, including export-\ncontrolled technology and, therefore, did not consider any of the technology to be\nexport controlled.\n\nContractor B was unaware of the Federal export requirements and how to\nimplement those requirements. The contractor did not provide training and did\nnot have adequate access controls in place to protect the export-controlled\ntechnology from unauthorized access by foreign nationals that worked at or\nvisited the facility. Management stated that personnel were not provided export\ncontrol training because the contractor did not believe they were exporting any\nexport-controlled technology. Without export control training, the employees did\nnot implement controls to safeguard the export-controlled technologies. During\nour review, we identified physical control deficiencies at the facility. For\nexample, the contractor had an open floor plan that did not segregate information\nin different programs. The contractor had a lab that required a key for access;\nhowever, unauthorized foreign nationals still had access. Within the lab, there\nwere no physical controls over any of the technology being developed.\n\nExport-Controlled Technologies at Universities. One university allowed\nforeign nationals access to export-controlled technologies without obtaining an\nexport license or other authorized approval or qualifying for an exemption. The\noverall risk of unauthorized foreign nationals gaining access to export-controlled\ntechnologies at universities is significant when universities are not aware of\nexport-controlled technologies. Generally, universities have large numbers of\nforeign national students. At one university, non-U.S. citizens comprised over\none quarter of its graduate student population. China, India, and South Korea\nwere the top three countries of origin for the international student population.\n\nFor the six universities, if the contract did not contain any restrictive language,\nthe universities generally presumed that the research was fundamental. However,\nwe identified one contract that involved export-controlled technologies at a\nuniversity where a foreign national had unauthorized access. The contract\ninvolved efforts to develop a military air campaign planning aid. The tasks\nincluded conducting interviews with Government-approved experts to identify\ndifferent kinds of local and global problems in air campaign plans. This type of\ninformation is export controlled under the ITAR Part 121, category XI(a).\nCategory XI(a) states that command, control, and communications systems\nincluding radios, navigation, and identification equipment should be export\ncontrolled. At least one unauthorized foreign national participated in the\nperformance of the contract and had access to the export-controlled information.\n\nThe university stated that if the contract did not contain restrictive language, they\nconsidered the research fundamental and exempt from obtaining an export\nlicense. The contract did not contain any restrictive language; therefore, the\nuniversity concluded that the contract was fundamental research. However, the\ncontract also involved some classified information. The NISPOM requires review\n\n\n                                     16\n\x0c    and approval before public release of any information related to a contract that\n    contains classified information. The program did not qualify for the fundamental\n    research exemption because the university could not publish the results of the\n    program without DoD review and approval. The university should have obtained\n    the proper authorization for the foreign national or safeguarded the\n    export-controlled information.\n\n    At least one unauthorized foreign national had access to export-controlled\n    technologies because the contract did not identify the controlled technologies and\n    the university incorrectly applied the fundamental exemption. Because a primary\n    goal of universities is the open exchange of knowledge, the risk of unauthorized\n    foreign nationals being granted access to export-controlled technologies is\n    significant.\n\n\nConclusion\n    DoD does not have adequate processes to identify unclassified export-controlled\n    technology and to prevent unauthorized disclosure. The Under Secretary of\n    Defense for Acquisition, Technology, and Logistics and the Deputy Under\n    Secretary of Defense for Technology Security Policy and Counterproliferation\n    should develop and implement guidance for export-controlled technology\n    commensurate with acquisition and classified program guidance. The DFARS\n    should be changed to incorporate the requirements of Federal export laws and\n    regulations and to ensure that DoD program managers and contracting officers\n    incorporate the requirements into contractual language when the contracts involve\n    export-controlled technology. In addition, guidance for export-controlled\n    technology should be developed and expanded to include DoD and facility\n    personnel responsibilities and requirements applicable to all export-controlled\n    technology. The guidance implementation should provide reasonable assurance\n    that facilities are aware of the export-controlled technology regulations and do not\n    inadvertently allow foreign nationals unauthorized access to export-controlled\n    technology. Until DoD program managers are held accountable for identifying\n    export-controlled technology and are assured that facilities obtain authorized\n    approval or have controls in place to protect the export-controlled technology,\n    DoD will be at increased risk of other nations countering or reproducing the\n    technology, thus reducing its effectiveness.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    Revised Recommendation. As a result of management comments, we revised\n    Recommendation 1.a.(3) to include unique badging requirements for foreign\n    nationals and segregated work areas where controlled technology is involved.\n\n    1. We recommend that the Deputy Under Secretary of Defense for\n    Technology Security Policy and Counterproliferation:\n\n\n\n                                        17\n\x0c      a. Expand \xe2\x80\x9cInterim Guidance on Export Controls for Biological\nAgents,\xe2\x80\x9d November 7, 2002, to:\n\n              (1) Encompass all export-controlled technology.\n\n               (2) Require program managers, in coordination with\ncounterintelligence, security, and foreign disclosure personnel to:\n\n                       (a) Identify export-controlled technology, foreign\nnational restrictions, and licensing requirements.\n\n                      (b) Identify threats by foreign countries that are\ntargeting the specific technologies.\n\n                     (c) Identify vulnerabilities and countermeasures to\nprotect the export-controlled technology.\n\n               (3) Require program managers and contracting officers to\nensure that contracts identify the export-controlled technology and contain\nrequirements to maintain an access control plan, including unique badging\nrequirements for foreign nationals and segregated work areas for controlled\ntechnology; perform export compliance training; conduct annual self-\nassessments; and comply with Federal export laws by obtaining an export\nlicense, other authorized approval or exemption, or by safeguarding the\ntechnology when contracts involve export-controlled technology or\ninformation.\n\n       b. Incorporate the interim guidance into the revision of DoD\nDirective 2040.2, \xe2\x80\x9cInternational Transfers of Technology, Goods, Services,\nand Munitions\xe2\x80\x9d January 17, 1984, to include the roles and responsibilities of\nthe program managers, counterintelligence, security, and foreign disclosure\npersonnel.\n\nManagement Comments. The Deputy Under Secretary of Defense for\nTechnology Security Policy and Counterproliferation concurred in general with\nthe Finding and Recommendation 1. Specifically, the Deputy Under Secretary\nstated that issues raised by the Services on the initial draft guidance were\ncurrently being resolved and that she plans to issue the revised guidance\napplicable to all export-controlled technology in April 2004. Although she agreed\nthat additional policy guidance would be helpful, she also stated that guidance\nalready exists that clearly prohibits the transfer of controlled technology by all\nGovernment and private entities without an export license, authorization, or\nexemption; includes detailed Commerce Control List and U.S. Munitions List\nitem references; and establishes points of contact to answer licensing questions.\nIn addition, the Deputy Under Secretary stated that teams of functional area\nexperts will soon be available to brief program managers, research center\npersonnel, and other interested parties on request. Based on the guidance already\navailable by her office, the Deputy Under Secretary does not believe there is\njustification for further delay in the adoption and implementation of Technology\nControl Plans and Foreign Access Control Plans.\n\n\n\n                                    18\n\x0cAudit Response. The Deputy Under Secretary of Defense for Technology\nSecurity Policy and Counterproliferation comments were fully responsive.\nAlthough we agree there should be no further delays in the adoption and\nimplementation of Technology Control Plans and Foreign Access Control Plans,\nwe do not agree that the interim and follow-on guidance is fully effective.\nAlthough the interim guidance can be applied to all DoD facilities responsible for\ncontrolling the release of technology and technical data, the guidance was\nspecifically designed to safeguard export-controlled biological technology. In\naddition, DoD facilities responsible for controlling the release of technology and\ntechnical data may be hesitant to implement the follow-on draft guidance due to\nthe likelihood of changes that may occur between draft and final. Formally\napproving and expanding the guidance to include all export-controlled technology\nshould ensure a DoD-wide dissemination of policy and the implementation of\ncontrols over the release of export-controlled technology and technical data.\n\n2. We recommend that the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics:\n\n      a. Develop and incorporate into the Defense Federal Acquisition\nRegulation Supplement an export compliance clause that requires that the\ncontractor:\n\n               (1) Comply with Federal export regulations and DoD guidance\nfor export-controlled technology and technical data by obtaining an export\nlicense, other authorized approval or exemption, and preventing\nunauthorized disclosure to foreign nationals.\n\n              (2) Incorporate the terms of the clause in all subcontracts that\ninvolve export-controlled technology.\n\n               (3) Conduct initial and periodic training on export compliance\ncontrols for those employees who have access to export-controlled\ntechnology.\n\n              (4) Perform periodic self-assessments to ensure compliance\nwith Federal export laws and regulations.\n\n       b. Require that contracting officers incorporate the appropriate\nexport compliance clause into the solicitation and contract.\n\nUnder Secretary of Defense for Acquisition, Technology and Logistics\nComments. The Under Secretary of Defense for Acquisition, Technology, and\nLogistics concurred with Recommendation 2. Specifically, the Under Secretary\nof Defense for Acquisition, Technology, and Logistics will initiate the process of\nchanging the Defense Federal Acquisition Regulation Supplement in accordance\nwith the recommendation, and the process will take an estimated 10 months to\ncomplete. The Director, Defense Research and Engineering, in consultation with\nthe Director for International Cooperation, will ensure that DoD Components that\nissue science and technology contracts are aware of the Federal export regulations\nand the planned changes to the Defense Federal Acquisition Regulation\n\n\n\n                                    19\n\x0cSupplement. The Director, Defense Research and Engineering will also ensure\nthat the science and technology contracts comply with those changes.\n\nDeputy Under Secretary of Defense for Technology Security Policy and\nCounterproliferation Comments. Although not required to comment on\nRecommendation 2., the Deputy Under Secretary of Defense for Technology\nSecurity Policy and Counterproliferation agreed that DoD contracts should\nexplicitly state the obligations of contractors when performing work on behalf of\nthe Government.\n\n\n\n\n                                    20\n\x0cAppendix A. Scope and Methodology\n            We reviewed the Export Administration Act, the Arms Export Control Act, and\n            the associated EAR and the ITAR. In addition, we evaluated the adequacy of\n            DoD directives, policies, regulations, and memorandums related to the disclosure\n            and transfer of militarily sensitive and critical technologies to foreign nationals\n            from 1980 through 2003. We performed this audit from June 2003 through\n            January 2004 in accordance with generally accepted government auditing\n            standards. Our scope was limited due to time and resource constraints.\n            Specifically, we were unable to interview a sufficient number of program\n            management and contracting officials to determine why export-controlled\n            technology was not identified in the contracts.\n\n            To determine the adequacy of established DoD policies and procedures to prevent\n            the transfer of export-controlled technologies and technical information to foreign\n            nationals, we judgmentally selected 20 facilities to visit (11 contractors,\n            6 universities, and 3 FFDRCs). We were unable to identify a reliable universe of\n            DoD-sponsored facilities conducting research and development or producing\n            products that may contain export-controlled technology. Using the Defense\n            Security Service annual report \xe2\x80\x9cTechnology Collection Trends in the U.S.\n            Defense Industry 2003,\xe2\x80\x9d we identified targeted technology and collection\n            techniques used by foreign entities. The facilities were then selected through\n            various means such as Internet queries and requests by DoD officials to visit\n            facilities that performed contractual work on Defense Security Service-identified\n            targeted technology. We also selected facilities involved with the Small Business\n            Innovative Research and the Small Business Technology Transfer1 programs.\n            During the facility visits, we reviewed contracts to determine whether export-\n            controlled technology was identified.\n\n            We reviewed 116 contracts to identify clauses that could have alerted facilities\n            that the contract may involve export-controlled technology. For the purposes of\n            this report, we combined prime contracts and sub-contracts with identical\n            statements of work as one contract. Specifically, we examined the contracts to\n            identify Federal export laws and regulations, restrictions on access by foreign\n            nationals, and restrictions on the publication of contract results. Of the\n            116 contracts we reviewed, we obtained 94 statements of work. Of that 94, the\n            Defense Technical Service Administration reviewed 75 for export-controlled\n            technology. Of that 75, the Defense Technical Service Administration and the IG\n            DoD identified at least 31 statements of work that involved export-controlled\n            technology. In addition, a contractor independently identified export-controlled\n            technology in two statements of work. Of the 33 statements of work that should\n            have identified export-controlled technology in the contract, 20 contained at least\n            one reference to Federal export laws and regulations, foreign nationals, or\n            publication restrictions.\n\n1\n    The Small Business Innovation Research program funds early stage research at small technology\n     companies to stimulate technological innovation and increase small business participation. The Small\n     Business Technology Transfer program is a similar program in structure, but funds cooperative projects\n     involving a small business and a research institution.\n\n\n\n                                                      21\n\x0c    At each facility, we interviewed contracting and project managers, security,\n    human resources, and legal personnel, when applicable, to determine their\n    knowledge of Federal export laws and regulations and to identify controls in place\n    to prevent the export-controlled technology from unauthorized disclosure.\n    Additionally, we conducted interviews with officials from the Office of the Under\n    Secretary of Defense for Acquisition, Technology, and Logistics and its\n    components; the Under Secretary of Defense for Policy and its components; the\n    Under Secretary of Defense for Intelligence; the Deputy Under Secretary of\n    Defense for Industrial Policy; the Secretary of the Air Force International Affairs;\n    the Navy International Programs Office; the Office of Naval Research; the Army\n    Aviation and Missile Command; and the Army Space and Missile Defense\n    Command. Outside of DoD, we met with Department of Commerce Bureau of\n    Industry and Security, the Department of State Office of Defense Trade Controls,\n    and the Federal Bureau of Investigation.\n\n    Use of Computer-Processed Data. We did not use computer processed data to\n    perform this audit.\n\n    Use of Technical Assistance. Technical engineers from Defense Technology\n    Security Administration provided assistance to the team during the course of this\n    project. The engineers reviewed 75 of the 94 statements of work to determine\n    whether they included export-controlled technology. The Defense Technology\n    Security Administration identified 52 contracts that contained export-controlled\n    technology, and we reviewed those contracts for restrictive clauses. Analysis by\n    the Defense Technology Security Administration provided additional support for\n    the finding.\n\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program Procedures,\xe2\x80\x9d\n    August 28, 1996, require DoD organizations to implement a comprehensive\n    system of management controls that provides reasonable assurance that programs\n    are operating as intended and to evaluate the adequacy of the controls.\n\n    Scope of the Review of the Management Control Program. We evaluated\n    whether critical technologies and information at DoD-sponsored contractor,\n    university, and FFRDC facilities were effectively controlled. We reviewed the\n    adequacy of the policies and procedures the Under Secretary of Defense for\n    Acquisition, Technology, and Logistics and the Deputy Under Secretary of\n    Defense for Technology Security Policy and Counterproliferation had for\n    preventing the transfer of unauthorized export-controlled technology with\n    potential military application to countries of concern. We also reviewed\n    management\xe2\x80\x99s self-evaluation applicable to those controls.\n\n    Adequacy of Management Controls. We identified material management\n    control weakness within DoD as defined by DoD Instruction 5010.40.\n    Specifically, critical technology and information contracted to DoD-sponsored\n    facilities were not effectively controlled. We attribute this weakness to the lack\n\n\n                                         22\n\x0cof guidance related to export-controlled technology. The Under Secretary of\nDefense for Acquisition, Technology, and Logistics and the Deputy Under\nSecretary of Defense for Technology Security Policy and Counterproliferation\nhave not developed adequate management controls to ensure that program\nmanagers identify export-controlled technology in contracts or obtain reasonable\nassurance that contractors comply with Federal export laws. The\nrecommendations, if implemented, will provide the Office of the Secretary of\nDefense with a more effective tool to manage its export control program and\nprevent the unauthorized transfer of export-controlled technology. A copy of the\nreport will be provided to the Office of the Secretary of Defense officials\nresponsible for the formation and implementation of DoD export controls.\n\nAdequacy of Management\xe2\x80\x99s Self-Evaluation. DoD officials did not identify\npolicies and procedures regarding export-controlled technology as an assessable\nunit and, therefore, did not identify or report the material management control\nweakness identified by the audit.\n\n\n\n\n                                   23\n\x0cAppendix B. Prior Coverage\n    During the last 5 years, Congress, the General Accounting Office (GAO) and the\n    IG DoD have conducted multiple reviews discussing the adequacy of\n    management controls over transfers of sensitive and critical DoD technology with\n    potential military application to foreign nationals. Unrestricted GAO reports can\n    be accessed over the Internet at http://www.gao.gov. Unrestricted IG DoD\n    reports can be accessed at http://www.dodig.osd.mil/audit/reports. The following\n    previous reports are of particular relevance to the subject matter in this report.\n\n\nGAO\n    General Accounting Office Report No. GAO-02-972, \xe2\x80\x9cExport Controls:\n    Department of Commerce Controls over Transfers of Technology to Foreign\n    Nationals Need Improvement,\xe2\x80\x9d September 6, 2002\n\n    General Accounting Office Report No. GAO-02-63, \xe2\x80\x9cDefense Trade: Lessons to\n    Be Learned from the Country Export Exemption,\xe2\x80\x9d March 29, 2002\n\n\nIG DoD\n    IG DoD Report No. D2003-070, \xe2\x80\x9cExport Controls: DoD Involvement in Export\n    Enforcement Activities,\xe2\x80\x9d March 28, 2003\n\n    IG DoD Report No. D-2003-021, \xe2\x80\x9cSecurity: Export Controls Over Biological\n    Agents (U),\xe2\x80\x9d November 12, 2002\n\n    IG DoD Report No. D-2002-039, \xe2\x80\x9cAutomation of the DoD Export License\n    Application Review Process,\xe2\x80\x9d January 15, 2002\n\n    IG DoD Report No. D-2001-088, \xe2\x80\x9cDoD Involvement in the Review and Revision\n    of the Commerce Control List and the U.S. Munitions List,\xe2\x80\x9d March 23, 2001\n\n    IG DoD Report No. D-2001-007, \xe2\x80\x9cForeign National Security Controls at DoD\n    Research Laboratories,\xe2\x80\x9d October 27, 2000\n\n    IG DoD Report No. D-2000-130, \xe2\x80\x9cForeign National Access to Automated\n    Information Systems,\xe2\x80\x9d May 26, 2000\n\n    IG DoD Report No. D-2000-110, \xe2\x80\x9cExport Licensing at DoD Research Facilities,\xe2\x80\x9d\n    March 24, 2000\n\n    IG DoD Report No. 99-186, \xe2\x80\x9cReview of the DoD Export Licensing Processes for\n    Dual-Use Commodities and Munitions,\xe2\x80\x9d June 18, 1999\n\n\n\n                                        24\n\x0cCongressional\n    Congressional Report No. RL31845, \xe2\x80\x9cSensitive but Unclassified and Other\n    Federal Security Controls on Scientific and Technical Info: History and Current\n    Controversy,\xe2\x80\x9d April 2, 2003\n\n\nInteragency Reviews\n    Inspectors General of the Departments of Commerce, Defense, State, and the\n    Treasury; the Central Intelligence Agency; and the United States Postal Service\n    Report No. D-2003-069, \xe2\x80\x9cInteragency Review of Federal Export Enforcement\n    Efforts,\xe2\x80\x9d April 18, 2003\n\n    Inspectors General of the Departments of Commerce, Defense, Energy, State, and\n    the Treasury Report No. D-2002-074, \xe2\x80\x9cInteragency Review of Federal Automated\n    Export Licensing Systems,\xe2\x80\x9d March 29, 2002\n\n    Inspectors General of the Departments of Commerce, Defense, Energy, and State\n    Report No. D-2001-092, \xe2\x80\x9cInteragency Review of the Commerce Control List and\n    the U.S. Munitions List,\xe2\x80\x9d March 23, 2001\n\n    Inspectors General of the Departments of Commerce, Defense, Energy, and State\n    Report No. D-2000-109, \xe2\x80\x9cInteragency Review of the Export Licensing Process\n    for Foreign National Visitors,\xe2\x80\x9d March 24, 2000\n\n    Inspectors General of the Departments of Commerce, Defense, Energy, State, and\n    the Treasury, and the Central Intelligence Agency Report No. 99-187,\n    \xe2\x80\x9cInteragency Review of the Export Licensing Processes for Dual-Use\n    Commodities and Munitions,\xe2\x80\x9d June 18, 1999\n\n\n\n\n                                       25\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and\n Logistics\n  Deputy Under Secretary of Defense (International Technology\n   Security)\n  Director, Defense Procurement and Acquisition Policy\n  Director of Defense Research and Engineering\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nUnder Secretary of Defense for Policy\n  Deputy Under Secretary of Defense (Technology Security\n   Policy and Counterproliferation)\nUnder Secretary of Defense for Intelligence\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Security Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\nDirector, National Security Agency\nInspector General, Department of Commerce\nInspector General, Department of Energy\nInspector General, Department of Homeland Security\nInspector General, Department of State\nInspector General, Central Intelligence Agency\n\n\n\n                                          26\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nSenate Select Committee on Intelligence\nSenate Committee on Foreign Relations\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\nHouse Committee on International Relations\nHouse Subcommittee on National Security Emerging Threats\n and International Relations\nHouse Permanent Select Committee on Intelligence\n\n\n\n\n                                        27\n\x0c\x0cUnder Secretary of Defense for Acquisition,\nTechnology, and Logistics Comments\n\n\n\n\n                       29\n\x0c30\n\x0c     Final Report\n      Reference\n\n\n\n\n     Page 4\n     Revised\n\n\n\n     Page 5\n\n     Revised\n\n\n     Page 7\n\n     Revised\n\n\n\n\n     Page 11\n\n     Revised\n\n\n     Page 18\n\n\n\n     Page 14\n\n     Page 14\n\n\n\n\n31\n\x0c               Deputy Under Secretary of Defense for\n               Technology Security Policy and\n               Counterproliferation Comments\nFinal Report\n Reference\n\n\n\n\nAdded text\n\n\n\n\n                                     32\n\x0c33\n\x0cTeam Members\nThe Readiness and Logistics Support Directorate, Office of the Deputy Inspector\nGeneral for Auditing of the Department of Defense prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nShelton R. Young\nEvelyn R. Klemstine\nA. Dahnelle Alexander\nGary A. Clark\nBrett A. Mansfield\nJames E. Miniter\nSteve B. Bennett\nTroy R. Zigler\nSusann L. Cobb\n\x0c'